North Korean Hackers Target Phemex Crypto Exchange

North Korean hackers are potentially behind the multi-million dollar exploit of the Phemex crypto exchange, according to multiple blockchain security experts. On Thursday, the Singapore-based exchange was breached, losing over $70 million worth of various cryptocurrencies.

The Singapore-based exchange halted withdrawals earlier on Thursday after being alerted to suspicious activity from several blockchain security firms. Around $30 million had been drained at the time, though it appears the attack continued and more tokens were stolen.

“As we look into a report on one of our hot wallets, rest assured our cold wallets remain safe and can be checked by everyone here. We will post more updates shortly,” Phemex CEO Federico Variola said on X.

The attack appears to follow a similar threat model seen in other prominent crypto exchange exploits.

“Every theft or scam has its own particular on-chain behavior that can tell you a lot about what might have happened, how many people are involved, and indicate whether the threat actor is more or less experienced,” Taylor Monahan, the principal security researcher for MetaMask, told The Block.

“In this case, we see a massive amount of distinct assets drained simultaneously across a multitude of chains. The tokens are then immediately swapped for the native asset, starting with the freezable stablecoins and then working down the list by value,” Monahan added.

Like many attacks, the attackers appear to have gone after big-ticket assets first, draining BTC, ETH, and SOL early on alongside stablecoins. Notably, they quickly swapped millions in stolen USDC and USDT, which can be frozen, for ETH.

Over time, attackers went after less known tokens, with the last three transactions involving $1,000 worth of ARPA, $997 worth of ZRC, and $1,020 worth of NKN. Hundreds of different tokens were stolen, often leaving pennies of lesser-known altcoins in the exchange’s wallets.

“All of this activity is happening simultaneously, but it’s not scripted,” Monahan said. “Assets are manually sent to new addresses for swapping and then passed along to another fresh address once they are done. Those assets will sit until the real laundering team picks them up next week or next month.”

Due to the number of transactions and wide range of blockchains targeted, this attack was likely perpetrated by “a group of threat actors who have done this many times before,” Monahan said.

SomaXBT.eth, a pseudonymous “crypto threats investigator,” suggested that a group affiliated with or based in North Korea is likely behind the attack.

“The attack vector is similar to their attacks,” he said. “I never saw their activity on other chains.”

Another anonymous security researcher noted that the attack reminded them of TraderTraitor, the state-sponsored group the FBI believes is behind the $308 million attack on Japanese trading platform DMM.

According to Etherscan, at least 275 transactions involved EVM chains, with at least eight addresses used to drain assets on the Ethereum base chain alone, alongside addresses for Layer 2s such as Arbitrum, Base, Polygon, Optimism, and zkSync.

The main wallet associated with the attack, beginning with 0x5b34, saw at least $44 million flow through it, including addresses for draining assets on Avalanche, Binance Smart Chain, Polkadot, Solana, and Tron.

At least $16 million worth of SOL, $12 million in XRP, and $5 million in bitcoin were stolen, according to various blockchain explorers.

Phemex still holds approximately $1.8 billion worth of crypto assets, primarily in its exchange token, PT, which accounts for $1.1 billion. Its next largest holdings include $355 million in bitcoin and $209 million in USDT.

The exchange, ranking 55th by volumes and 37th on CoinGecko’s trust score, said it is “working on a compensation plan” for those impacted by the hack.

The transactions involving addresses connected to the exploit appeared to have stopped around 10:00 AM ET, midnight Pyongyang time.